Application URI Configuration Changes

Aug 12, 2024 · attack.t1528 attack.t1078.004 attack.persistence attack.credential-access attack.privilege-escalation ·

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Sigma rule (View on GitHub)

 1title: Application URI Configuration Changes
 2id: 0055ad1f-be85-4798-83cf-a6da17c993b3
 3status: test
 4description: |
 5    Detects when a configuration change is made to an applications URI.
 6    URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.    
 7references:
 8    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
 9author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
10date: 2022-06-02
11tags:
12    - attack.t1528
13    - attack.t1078.004
14    - attack.persistence
15    - attack.credential-access
16    - attack.privilege-escalation
17logsource:
18    product: azure
19    service: auditlogs
20detection:
21    selection:
22        properties.message: Update Application Sucess- Property Name AppAddress
23    condition: selection
24falsepositives:
25    - When and administrator is making legitimate URI configuration changes to an application. This should be a planned event.
26level: high

References

Microsoft Entra security operations for applications - Microsoft Entra

Learn how to monitor and alert on applications to identify security threats.

Read More

Application URI Configuration Changes

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for applications - Microsoft Entra

Related rules